
[Sysadmin] Routing to null


Posts

  • Feldorn (Mediocre) Registered User regular
    I think I mentioned this awhile back, but I still see it happening to a couple users per month. We're in O365.

    We'll sometimes get a call that emails are missing, usually it's a specific timeframe, and when I look in Recoverable Items I see all the messages missing and they're all deleted around the same time. This activity isn't in the Audit Logs at all and they go directly to Recoverable Items instead of the Deleted Items folder.

    Have any of you seen this before? It seems like some sort of sync fuck-up by Outlook, but I can't reproduce it and there are no errors to indicate what's wrong.
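A detection-side check for the kind of unexplained deletions described above, added here as an example and not code from the thread. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline already run) and a placeholder mailbox address; the caveat it works around is that owner-initiated SoftDelete (an item landing straight in Recoverable Items) is not in Exchange Online's default owner audit action set, so the mailbox audit log can be silent for exactly this activity until that action is added.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has been run
# and that 'user@example.com' is a placeholder for the affected mailbox.
$Mailbox = 'user@example.com'

# 1. Is auditing on, and which owner actions are recorded? The default owner set
#    includes HardDelete but not SoftDelete or MoveToDeletedItems, so a delete that
#    bypasses Deleted Items leaves no owner record until SoftDelete is added.
Get-OrganizationConfig | Select-Object AuditDisabled
Get-Mailbox -Identity $Mailbox |
    Select-Object AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate

# 2. Add the missing actions for owner and delegate logons so the next occurrence
#    is captured (the change is per mailbox; repeat for each affected user).
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner    @{Add = 'SoftDelete', 'MoveToDeletedItems'} `
    -AuditDelegate @{Add = 'SoftDelete', 'MoveToDeletedItems'}

# 3. Pull deletion events for the window the user reported (here: last 7 days).
#    Each record carries the client string, so a bulk delete from one mobile
#    client, a rule, or a sync process stands out from normal use.
$start  = (Get-Date).AddDays(-7)
$end    = Get-Date
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Mailbox `
    -Operations SoftDelete, HardDelete, MoveToDeletedItems -ResultSize 5000

# 4. Flatten the JSON payload. Bulk operations arrive as group records whose
#    AffectedItems array lists every message; single deletes count as one item.
$rows = $events | ForEach-Object { $_.AuditData | ConvertFrom-Json } | ForEach-Object {
    [pscustomobject]@{
        Minute    = $_.CreationTime.Substring(0, 16)   # "yyyy-MM-ddTHH:mm"
        Operation = $_.Operation
        Client    = $_.ClientInfoString
        LogonType = $_.LogonType                       # 0 = owner, 1 = admin, 2 = delegate
        Items     = if ($_.AffectedItems) { @($_.AffectedItems).Count } else { 1 }
    }
}

# 5. Summarise per minute/operation/client/logon type and sort by volume, so a
#    burst of hundreds of SoftDeletes in one minute from one client tops the list.
$rows | Group-Object Minute, Operation, Client, LogonType | ForEach-Object {
    [pscustomobject]@{
        Minute    = $_.Group[0].Minute
        Operation = $_.Group[0].Operation
        Client    = $_.Group[0].Client
        LogonType = $_.Group[0].LogonType
        Items     = ($_.Group | Measure-Object Items -Sum).Sum
    }
} | Sort-Object Items -Descending | Format-Table -AutoSize
```

Step 3 only returns what was being audited at the time, so for an incident that already happened the useful output is usually step 1 (confirming the gap) and step 5 for any HardDelete or admin/delegate activity that was recorded.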

  • That_Guy (I don't wanna be that guy) Registered User regular
    Some users don't realize that deleting a message on their phone deletes it in Outlook too. I've run into that a few times.

  • Feldorn (Mediocre) Registered User regular
    edited October 2020
    There is potential for that, but I don't think they're deleting hundreds, or in one case thousands, of items in a go on their phone. A few items sure, but I would expect to see those actions in the Audit Logs still.

  • That_Guy (I don't wanna be that guy) Registered User regular
    Feldorn wrote: »
    There is potential for that, but I don't think they're deleting hundreds, or in one case thousands, of items in a go on their phone. A few items sure, but I would expect to see those actions in the Audit Logs still.

    Oh my, I didn't realize you were talking about that many emails. I agree that it's pretty sus. Could any of these users have filter rules in place? Sometimes people will set up a rule in OWA and it won't show up in Outlook. And vice versa.

  • Feldorn (Mediocre) Registered User regular
    Most people don't, I'll start checking those.

  • Thawmus (+Jackface) Registered User regular
    Found out the hard way today that not only does GoDaddy still sell 2 yr certs, they still default to them.

    Gotta imagine they're processing a bunch of refund requests every day now.

    Twitch: Thawmus83
  • That_Guy (I don't wanna be that guy) Registered User regular
    We stopped using GoDaddy a long time ago. I recommend NameCheap for your domain and Cert needs. It's a LOT cheaper.

  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    I'm mad at Namecheap because I had solid proof that a website, whose DNS was hosted by Namecheap, was committing identity fraud, and Namecheap's reaction was ¯\_(ツ)_/¯

    I got their webhost to take them offline, but Namecheap didn't give a shit.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • bowen (How you doin'?) Registered User regular
    The FBI would love to hear that Feral.

    https://ic3.gov/

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    edited October 2020
    bowen wrote: »
    The FBI would love to hear that Feral.

    https://ic3.gov/

    That's not a bad idea. I stopped after I got their website shut down. I probably still have all the evidence somewhere.

  • SiliconStew Registered User regular
    Remember kids, automation can save you a lot of time, but it can also break a whole lotta shit in a hurry.

    Our process for automatic AD account maintenance based on our payroll system's employee status had an "issue" and decided every employee in the company had been terminated and disabled everyone's user accounts. Fortunately it didn't touch the separate domain admin accounts or any of the back-end service accounts so we were able to eventually unwind it. At least only a few people were actively working really late on a Friday to notice, but not exactly how I wanted to spend my night. The devops team isn't going to have a great rest of the weekend though.

    Just remember that half the people you meet are below average intelligence.
  • LD50 Registered User regular
    Remember kids, automation can save you a lot of time, but it can also break a whole lotta shit in a hurry.

    Our process for automatic AD account maintenance based on our payroll system's employee status had an "issue" and decided every employee in the company had been terminated and disabled everyone's user accounts. Fortunately it didn't touch the separate domain admin accounts or any of the back-end service accounts so we were able to eventually unwind it. At least only a few people were actively working really late on a Friday to notice, but not exactly how I wanted to spend my night. The devops team isn't going to have a great rest of the weekend though.

    We did something similar but in the opposite direction.

    As a bit of a backstory, the hospital I work for has created a health network to help absorb operational costs for rural hospitals (which is basically every hospital in our region except for mine). As a part of this, we migrated everyone from some of our affiliate hospitals into our HR management suite, except that project was managed by HR and it wasn't really run by IT. Of course, AD accounts, permissions, and licensing are done partially automatically based off of the HR system and the user's job code. In one nightly update we blasted through every available license we had for several services!

  • SniperGuy (SniperGuyGaming) Registered User regular
    I have an AD server and need to start creating group policies and pushing them out

    and also setup users somehow.

    Who's got the tutorials that make sense and aren't cryptic and written 8 years ago they like that they can share with me?

    Most of this seems relatively straightforward, but also pretty easy to fuck up if I do it wrong.

  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    Crosspost from D&D chat:
    SniperGuy wrote: »
    Feral wrote: »
    SniperGuy wrote: »
    Hey IT chatters

    I have an AD server and need to start creating group policies and pushing them out

    and also setup users somehow.

    Who's got the tutorials that make sense and aren't cryptic and written 8 years ago they like that they can share with me?

    Most of this seems relatively straightforward, but also pretty easy to fuck up if I do it wrong.

    @SniperGuy

    It is really straightforward.

    But before you get started, the following prerequisite is really important.

    Do you have either
    A) Two AD servers
    or
    B) One AD server, and one DNS server that is syncing with your AD server?

    On all Windows endpoints (all workstations and servers), are the TCP/IP settings configured with them getting DNS from the AD servers?

    If they're getting TCP/IP assignments from DHCP, that's okay too, as long as DHCP is giving out the AD servers' IPs as the DNS servers.

    We don't have two (which is something I am hoping to rectify soon) but all wired machines get their IP from DHCP on the AD machine, so I do believe it is getting the AD server IP as the DNS. (This may be different for the like, three windows laptops we have which will be on wireless, so I may have to configure those manually or something?)

    Why is this particular bit so important, and why would having two AD servers fix it? This is not my particular realm of expertise, you see. Also I posted this question in the sysadmin thread if you just wanna do this over there.

  • Dizzy D (Netherlands) Registered User regular
    I don't think I've ever seen a good comprehensive tutorial for using group policies and so on.

    Don't edit your Default Domain Policy (except if it's for something simple like password settings) and Default Domain Controllers Policy. Too easy to break something if you mess those up.

    Easiest way to test GPOs: make a test OU, place 1 user in that and add your user GPOs first to that OU to test the effects.

    Same for Computers.

    Keep in mind that user settings can only be applied to OUs with users in them and computer settings to OUs with computers in them.

    In case of RDS or Citrix servers, google loopback processing.

    I think that's the basics. Start out small (user gpo with drive mappings, printer settings, folder redirection and so on).

    Keep naming conventions so you don't need to search through a policy to find the settings (for instance USR_Win10_Drive-Mappings_v1 would be a user policy (USR), applied to Win10 clients, that sets the Drive Mappings). Write things out first if you find it easier.

    Steam/Origin: davydizzy
  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    @SniperGuy

    I'll elaborate more later if somebody doesn't beat me to it.

    Active Directory strongly relies on DNS and is closely integrated with DNS. Many "active directory problems" turn out to be problems with underlying DNS. And a common source of misconfiguration is that workstations are pointed to a DNS server that is not synced up with your AD.

    Now, once you configure your workstations to 100% use AD for DNS (or DNS servers synced with AD), then if those self-hosted DNS servers go down, those workstations will find that they can't browse the Internet. If you have only one DNS server, that makes it a single point of failure.

    Luckily, Microsoft makes AD and DNS redundancy very easy to set up. If you dedicate a second box or VM, when you install Active Directory, it will prompt you once or twice to include DNS and as long as you leave it checked, the installer will set up all the necessary redundancy and replication for you with minimal input needed from you.

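A quick way to verify the prerequisite Feral describes (every Windows endpoint resolving through DNS servers that are domain controllers, and whether there is more than one of them), added here as an example rather than anything from the thread. It runs on a domain-joined client with only the built-in DnsClient cmdlets; the domain name is read from the environment, nothing else is assumed.

```powershell
# Added example, not from the thread. Run on a domain-joined Windows client.
$domain = $env:USERDNSDOMAIN

# Domain controllers register SRV records in the AD-integrated zone. If this
# lookup fails, the client is already using a DNS server that is not synced
# with AD, which is the misconfiguration Feral warns about.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
    Where-Object Type -eq 'SRV'
$dcIps = $srv.NameTarget | Sort-Object -Unique |
    ForEach-Object { (Resolve-DnsName -Name $_ -Type A).IPAddress }

# Which DNS servers is this client actually configured with (static or via DHCP)?
$clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

# Any configured server that is not a DC will answer AD queries from stale or
# missing data; a single DC-only answer set is the single point of failure.
$notDc = $clientDns | Where-Object { $_ -notin $dcIps }
[pscustomobject]@{
    Domain               = $domain
    DcDnsServers         = $dcIps -join ', '
    ClientDnsServers     = $clientDns -join ', '
    NonDcDnsServers      = if ($notDc) { $notDc -join ', ' } else { 'none' }
    SinglePointOfFailure = (@($dcIps).Count -lt 2)
}
```

For the DHCP side of the same check, the scope's DNS option (option 6) on a Windows DHCP server can be read with Get-DhcpServerv4OptionValue -OptionId 6 and compared against the same DcDnsServers list.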
  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    Dizzy D wrote: »
    I don't think I've ever seen a good comprehensive tutorial for using group policies and so on.

    Don't edit your Default Domain Policy (except if it's for something simple like password settings) and Default Domain Controllers Policy. Too easy to break something if you mess those up.

    Easiest way to test GPOs: make a test OU, place 1 user in that and add your user GPOs first to that OU to test the effects.

    Same for Computers.

    Keep in mind that user settings can only be applied to OUs with users in them and computer settings to OUs with computers in them.

    In case of RDS or Citrix servers, google loopback processing.

    I think that's the basics. Start out small (user gpo with drive mappings, printer settings, folder redirection and so on).

    Keep naming conventions so you don't need to search through a policy to find the settings (for instance USR_Win10_Drive-Mappings_v1 would be a user policy (USR), applied to Win10 clients, that sets the Drive Mappings). Write things out first if you find it easier.

    These are good guidelines.

  • Thawmus (+Jackface) Registered User regular
    "Don't edit the default domain policy" is honestly scales-falling-from-eyes time. I remember when I took a class where they explained this and I was just awestruck at how much GP suddenly made sense.

    Then of course I went back to work and our Default Domain Policy had been edited fucking ages ago and I couldn't get the support of my coworkers to unfuck that pig so haha the good old days.

    The good old days.

  • SiliconStew Registered User regular
    Feral wrote: »
    Dizzy D wrote: »
    I don't think I've ever seen a good comprehensive tutorial for using group policies and so on.

    Don't edit your Default Domain Policy (except if it's for something simple like password settings) and Default Domain Controllers Policy. Too easy to break something if you mess those up.

    Easiest way to test GPOs: make a test OU, place 1 user in that and add your user GPOs first to that OU to test the effects.

    Same for Computers.

    Keep in mind that user settings can only be applied to OUs with users in them and computer settings to OUs with computers in them.

    In case of RDS or Citrix servers, google loopback processing.

    I think that's the basics. Start out small (user gpo with drive mappings, printer settings, folder redirection and so on).

    Keep naming conventions so you don't need to search through a policy to find the settings (for instance USR_Win10_Drive-Mappings_v1 would be a user policy (USR), applied to Win10 clients, that sets the Drive Mappings). Write things out first if you find it easier.

    These are good guidelines.

    Except for the loopback processing. Don't screw yourself falling into that trap. If you're using it, you're almost certainly using it wrong.

  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    Feral wrote: »
    Dizzy D wrote: »
    I don't think I've ever seen a good comprehensive tutorial for using group policies and so on.

    Don't edit your Default Domain Policy (except if it's for something simple like password settings) and Default Domain Controllers Policy. Too easy to break something if you mess those up.

    Easiest way to test GPOs: make a test OU, place 1 user in that and add your user GPOs first to that OU to test the effects.

    Same for Computers.

    Keep in mind that user settings can only be applied to OUs with users in them and computer settings to OUs with computers in them.

    In case of RDS or Citrix servers, google loopback processing.

    I think that's the basics. Start out small (user gpo with drive mappings, printer settings, folder redirection and so on).

    Keep naming conventions so you don't need to search through a policy to find the settings (for instance USR_Win10_Drive-Mappings_v1 would be a user policy (USR), applied to Win10 clients, that sets the Drive Mappings). Write things out first if you find it easier.

    These are good guidelines.

    Except for the loopback processing. Don't screw yourself falling into that trap. If you're using it, you're almost certainly using it wrong.

    It's too advanced a topic for an intro to Group Policy, I agree.

    But I disagree with the characterization "if you're using it, you're almost certainly using it wrong" in this context. Dizzy brought up RDS/Citrix, which is exactly the use-case where you're most likely to need it.

    Either way, SniperGuy should skip it until he has a better grasp of the fundamentals.

  • SiliconStew Registered User regular
    Feral wrote: »
    Feral wrote: »
    Dizzy D wrote: »
    I don't think I've ever seen a good comprehensive tutorial for using group policies and so on.

    Don't edit your Default Domain Policy (except if it's for something simple like password settings) and Default Domain Controllers Policy. Too easy to break something if you mess those up.

    Easiest way to test GPOs: make a test OU, place 1 user in that and add your user GPOs first to that OU to test the effects.

    Same for Computers.

    Keep in mind that user settings can only be applied to OUs with users in them and computer settings to OUs with computers in them.

    In case of RDS or Citrix servers, google loopback processing.

    I think that's the basics. Start out small (user gpo with drive mappings, printer settings, folder redirection and so on).

    Keep naming conventions so you don't need to search through a policy to find the settings (for instance USR_Win10_Drive-Mappings_v1 would be a user policy (USR), applied to Win10 clients, that sets the Drive Mappings). Write things out first if you find it easier.

    These are good guidelines.

    Except for the loopback processing. Don't screw yourself falling into that trap. If you're using it, you're almost certainly using it wrong.

    It's too advanced a topic for an intro to Group Policy, I agree.

    But I disagree with the characterization "if you're using it, you're almost certainly using it wrong" in this context. Dizzy brought up RDS/Citrix, which is exactly the use-case where you're most likely to need it.

    Either way, SniperGuy should skip it until he has a better grasp of the fundamentals.

    I say it exactly because it is an advanced topic and despite the "correct" use case, the implications and how it impacts rule application are in my experience usually misunderstood, leading to rules being applied in unexpected or unintended ways. And there's nothing loopback gives you that you can't do with normal GPO processing and permissions, which are both easier to understand and easier to troubleshoot in general.

  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    And there's nothing loopback gives you that you can't do with normal GPO processing and permissions, which are both easier to understand and easier to troubleshoot in general.

    Wooooooooooooooooooooooof strong disagree there.

    The purpose of loopback processing is to change user-level settings based on which machine the user is logged into.

    For example: maybe you want to turn off Outlook Cached Exchange Mode or change the OST path when the user is logged into a remote desktop server, but leave it at the default when they're using their normal workstation.

    The administrative templates for Office put those settings in the user policy area.

    Do you have a method to do that without loopback processing (that is elegant and easy to manage)?

  • SiliconStew Registered User regular
    edited November 2020
    Feral wrote: »
    And there's nothing loopback gives you that you can't do with normal GPO processing and permissions, which are both easier to understand and easier to troubleshoot in general.

    Wooooooooooooooooooooooof strong disagree there.

    The purpose of loopback processing is to change user-level settings based on which machine the user is logged into.

    For example: maybe you want to turn off Outlook Cached Exchange Mode or change the OST path when the user is logged into a remote desktop server, but leave it at the default when they're using their normal workstation.

    The administrative templates for Office put those settings in the user policy area.

    Do you have a method to do that without loopback processing (that is elegant and easy to manage)?

    For user GPOs to apply it also requires the computer to have permission to read them. So for example the permission delegation for a Citrix user setting GPO would remove the default "Authenticated Users" and only include the "Citrix Users" and "Citrix Computers" groups to only apply that GPO when those users were logged into the Citrix hosts. Then you can use the Link Order precedence to have the Citrix GPO be preferred (lower number) over the user's normal workstation-applicable GPO so it "wins" if the user is on a Citrix host. And because the user's workstation is not in the "Citrix Computers" group, it simply never applies if they log into their workstation.

    Let me give a counter example. What happens when you use loopback and are then told to make an exception for certain users? You can't. The policy gets applied to every user regardless even if you give a Deny permission on that GPO to those users because it's not the user reading and applying the policy, it's the computer. And the loopbacked computer policy always takes precedence over any other user policy you might apply.

  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    edited November 2020
    Let me give a counter example. What happens when you use loopback and are then told to make an exception for certain users? You can't. The policy gets applied to every user regardless even if you give a Deny permission on that GPO to those users because it's not the user reading and applying the policy, it's the computer. And the loopbacked computer policy always takes precedence over any other user policy you might apply.

    You're usually right on the money when it comes to Microsoft stuff, but in this particular instance, this is incorrect. You can use the typical security filtering and precedence settings just like any other GPO. (A quick Googling suggests that it's been this way since Windows Vista & Windows Server 2008.)

    I'd been doing it this way for a while, but to be 100% sure (because your MS game is strong), I just tested it.

    If you want to override a loopback-applied policy for a specific user, you just put another policy in the same OU with a lower precedence number, and limit the overriding policy to a smaller scope of users.

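Both patterns from the exchange above, scripted with the GroupPolicy module as an added example (not code from the thread): Feral's loopback-merge GPO on the host OU with a higher-precedence, security-filtered exception for a few users, and SiliconStew's no-loopback variant that filters a user GPO by both a user group and a computer group. The OU paths, group names and GPO names are placeholders (named after Dizzy D's USR_/CMP_ convention); the Outlook value is the Office 16.0 Cached Exchange Mode policy registry setting.

```powershell
# Added example, not from the thread. Assumes RSAT/GPMC (GroupPolicy module) on the
# admin box and placeholder names: an OU holding the remote desktop hosts, an OU
# holding staff accounts, and existing groups 'RDS Users', 'RDS Computers',
# 'RDS Exceptions'.
Import-Module GroupPolicy
$hostOu = 'OU=RDS Hosts,DC=corp,DC=example'
$userOu = 'OU=Staff,DC=corp,DC=example'
$olKey  = 'HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Cached Mode'

# --- Pattern 1 (Feral): loopback merge on the host OU -----------------------------
# Loopback is a computer setting, so it lives in a GPO linked to the OU of the hosts.
$loop = New-GPO -Name 'CMP_RDS_Loopback-Merge_v1'
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null   # 1 = Merge, 2 = Replace
New-GPLink -Name $loop.DisplayName -Target $hostOu -LinkEnabled Yes | Out-Null

# User settings linked to the same OU now apply to whoever logs on to those hosts:
# Cached Exchange Mode off on the RDS hosts only, default everywhere else.
$rds = New-GPO -Name 'USR_RDS_Outlook-CachedMode-Off_v1'
Set-GPRegistryValue -Name $rds.DisplayName -Key $olKey -ValueName 'Enable' -Type DWord -Value 0 | Out-Null
New-GPLink -Name $rds.DisplayName -Target $hostOu -LinkEnabled Yes -Order 2 | Out-Null

# The exception: same OU, lower link order (higher precedence), security-filtered so
# only 'RDS Exceptions' applies it. Authenticated Users keeps Read because the
# computer account has to read user GPOs (MS16-072); -Replace is needed because
# GpoRead is lower than the default GpoApply and would otherwise be ignored.
$exc = New-GPO -Name 'USR_RDS_Outlook-CachedMode-Exception_v1'
Set-GPRegistryValue -Name $exc.DisplayName -Key $olKey -ValueName 'Enable' -Type DWord -Value 1 | Out-Null
Set-GPPermission -Name $exc.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $exc.DisplayName -TargetName 'RDS Exceptions' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $exc.DisplayName -Target $hostOu -LinkEnabled Yes -Order 1 | Out-Null

# --- Pattern 2 (SiliconStew): no loopback, filter by user group AND computer group ---
# Linked where the user accounts live. Apply is granted to the user group; Read is
# granted only to the computer group, so a workstation outside 'RDS Computers'
# cannot read the GPO and it never applies there.
$flt = New-GPO -Name 'USR_RDS_Outlook-CachedMode-Off-Filtered_v1'
Set-GPRegistryValue -Name $flt.DisplayName -Key $olKey -ValueName 'Enable' -Type DWord -Value 0 | Out-Null
Set-GPPermission -Name $flt.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $flt.DisplayName -TargetName 'RDS Users'     -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $flt.DisplayName -TargetName 'RDS Computers' -TargetType Group -PermissionLevel GpoRead  | Out-Null
New-GPLink -Name $flt.DisplayName -Target $userOu -LinkEnabled Yes -Order 1 | Out-Null

# Verify the precedence on the host OU; then confirm on a host with: gpresult /R /SCOPE:USER
Get-GPInheritance -Target $hostOu | Select-Object -ExpandProperty GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
```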
  • SniperGuy (SniperGuyGaming) Registered User regular
    Okay so more basically, I'm trying to set it up so that an OU of computers gets a Wallpaper. I've set it to do that, made firewall changes in the same GPO I set the wallpaper change. I've also made a separate GPO that should push out our filtering certificate according to the instructions from the filter folk. I couldn't do an update from the server until I did a gpupdate /force on the computer, and then I could, presumably because the firewall change worked.

    But the wallpaper didn't change and the security certificate isn't working. So maybe I need to figure out a more basic set of steps to do this. I assume GPO applies to the computer, and not necessarily the user? I've only got like, an administrator and two regular users in AD right now. What's the basic stuff I'm definitely missing?

  • Dizzy D (Netherlands) Registered User regular
    edited November 2020
    SniperGuy wrote: »
    Okay so more basically, I'm trying to set it up so that an OU of computers gets a Wallpaper. I've set it to do that, made firewall changes in the same GPO I set the wallpaper change. I've also made a separate GPO that should push out our filtering certificate according to the instructions from the filter folk. I couldn't do an update from the server until I did a gpupdate /force on the computer, and then I could, presumably because the firewall change worked.

    But the wallpaper didn't change and the security certificate isn't working. So maybe I need to figure out a more basic set of steps to do this. I assume GPO applies to the computer, and not necessarily the user? I've only got like, an administrator and two regular users in AD right now. What's the basic stuff I'm definitely missing?

    Wallpaper is a user setting, not a computer setting.

    Run gpresult /r in a command prompt (edit: on the client/test computer); it should show you which GPOs were applied and, if they were not applied, why (filtering etc).

  • SniperGuy (SniperGuyGaming) Registered User regular
    Okay well, gpresult /r shows that I am indeed getting the GPO for wallpaper, the default wallpaper went away, but the image I tried to use isn't working. It's not a full size wallpaper, so maybe that's why?

    gpresult will only show me the user GPOs and not the computer GPOs? I've got the one security certificate too that isn't coming through. Basically I think I just need a beginner's guide that walks me through setting some of this stuff up because there's a whole lot of buttons and groups and OUs and things in here that I'm not totally sure about. There's a lot of interaction I can't figure out.

  • Dizzy D (Netherlands) Registered User regular
    gpresult has multiple parameters, /r should show you both user and computer GPOs.

    Size of the wallpaper could be an issue, filetype could also be an issue. Location of the wallpaper set in the GPO could be the issue. Too little information to say right now.

  • SiliconStew Registered User regular
    edited November 2020
    SniperGuy wrote: »
    Okay well, gpresult /r shows that I am indeed getting the GPO for wallpaper, the default wallpaper went away, but the image I tried to use isn't working. It's not a full size wallpaper, so maybe that's why?

    gpresult will only show me the user GPOs and not the computer GPOs? I've got the one security certificate too that isn't coming through. Basically I think I just need a beginner's guide that walks me through setting some of this stuff up because there's a whole lot of buttons and groups and OUs and things in here that I'm not totally sure about. There's a lot of interaction I can't figure out.

    "gpresult /R" only displays computer GPOs if you've run the command prompt as an administrator. And you can get just the computer GPOs by using "gpresult /R /SCOPE:COMPUTER" in case it throws an error about no RSOP results for that admin user, which can happen if the account has never logged into the computer before (the account's never had any policies applied to it for gpresult to read).

    I'd also recommend opening mmc and loading the Resultant Set of Policy snap-in to further troubleshoot. It'll show you why a policy is not applied (wrong permissions, etc) and it'll show exactly which policy settings are active in the same tree layout as settings in the Group Policy Management window. You may find a setting is missing or not the expected value (overridden by other policies).

  • SniperGuy (SniperGuyGaming) Registered User regular
    Figured out the wallpaper and I got the security certificate working! The problem: I was being dumb! Unsurprising.

    Thanks for the help everyone! Now to figure out what else to add for GPOs, how to add all the students from Gsuite, seeing if I can get the macs hooked up to this...

  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    SniperGuy wrote: »
    Okay well, gpresult /r shows that I am indeed getting the GPO for wallpaper, the default wallpaper went away, but the image I tried to use isn't working. It's not a full size wallpaper, so maybe that's why?

    gpresult will only show me the user GPOs and not the computer GPOs? I've got the one security certificate too that isn't coming through. Basically I think I just need a beginner's guide that walks me through setting some of this stuff up because there's a whole lot of buttons and groups and OUs and things in here that I'm not totally sure about. There's a lot of interaction I can't figure out.

    @SniperGuy

    If it's any consolation, you're running into a common challenge that a lot of newbies have with Group Policy.

    Basically, it's this pattern:

    1) Apply GPO to deliver [X].
    2) [X] doesn't work.
    3) Newbie: "Why is my GPO broken?"

    Often, the problem isn't with Group Policy, the problem is that the payload [X] is itself incompatible or otherwise broken.

    Let me illustrate this with a really stupid thought experiment.

    Imagine that you created a Group Policy that delivered a plain ASCII text file, and attempted to set the desktop wallpaper to this text file. Obviously that's not going to work, because a text file can't be a wallpaper! But that's not a problem with Group Policy. The Group Policy could be working perfectly, it's just trying to deliver a silly payload.

  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    @SniperGuy

    Step back from Group Policy for a moment.

    You said "here's a whole lot of buttons and groups and OUs and things in here that I'm not totally sure about"

    Do you feel comfortable with basic navigation and organization in Active Directory Users and Computers?

    In other words, when you go into Active Directory Users and Computers to create users, create security groups, or move objects around to different OUs, do you feel like you mostly know what you're doing?

  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    SniperGuy wrote: »
    Figured out the wallpaper and I got the security certificate working! The problem: I was being dumb! Unsurprising.

    Thanks for the help everyone! Now to figure out what else to add for GPOs, how to add all the students from Gsuite, seeing if I can get the macs hooked up to this...

    What was the actual problem?

  • SniperGuy (SniperGuyGaming) Registered User regular
    Feral wrote: »
    @SniperGuy

    Step back from Group Policy for a moment.

    You said "here's a whole lot of buttons and groups and OUs and things in here that I'm not totally sure about"

    Do you feel comfortable with basic navigation and organization in Active Directory Users and Computers?

    In other words, when you go into Active Directory Users and Computers to create users, create security groups, or move objects around to different OUs, do you feel like you mostly know what you're doing?

In that I know what users and objects are, yes. I do not totally know what a security group is. I created an OU for computers and one for student users and have figured out how to create GPOs that link into those groups. I moved the users I created so far into that student OU, and the one computer I'm using to test into the computer OU. And now I understand that separate GPOs apply to either computers or users and it's pretty easy to tell which is which.

The wallpaper thing was me assuming if I designated the location locally, it would distribute somehow. I had to instead set up a folder that is a hidden share, stick the wallpaper in there, and use the UNC path to point at it instead. Which I assume is okay to do, because it worked.

    So, yeah, mostly? In that mostly is more than 50%?

Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    SniperGuy wrote: »
    Feral wrote: »
    SniperGuy

    Step back from Group Policy for a moment.

    You said "here's a whole lot of buttons and groups and OUs and things in here that I'm not totally sure about"

    Do you feel comfortable with basic navigation and organization in Active Directory Users and Computers?

    In other words, when you go into Active Directory Users and Computers to create users, create security groups, or move objects around to different OUs, do you feel like you mostly know what you're doing?

In that I know what users and objects are, yes. I do not totally know what a security group is. I created an OU for computers and one for student users and have figured out how to create GPOs that link into those groups. I moved the users I created so far into that student OU, and the one computer I'm using to test into the computer OU. And now I understand that separate GPOs apply to either computers or users and it's pretty easy to tell which is which.

The wallpaper thing was me assuming if I designated the location locally, it would distribute somehow. I had to instead set up a folder that is a hidden share, stick the wallpaper in there, and use the UNC path to point at it instead. Which I assume is okay to do, because it worked.

    So, yeah, mostly? In that mostly is more than 50%?

    Okay cool. So you've got some basics down, including:

    - Create your own OUs instead of using the default OUs
    - Don't mix user objects and computer objects in the same OUs

    As for security groups:

    On their own, security groups do nothing. (The exception to this guideline is that the built-in security groups, like "Domain Admins", feed into other features of AD so adding somebody to one of those groups will alter their privileges or permissions.)

    But a security group might be specified elsewhere, like in file permissions, or in a group policy, to narrow down the users or computers affected.

Thawmus +Jackface Registered User regular
    If I can make a small suggestion, I know I'm not a Microsoft guy anymore but I used to be one and played one brilliantly on TV:

If this is your first time cracking your knuckles and getting into AD and GP, and training is out of the question (as I assume, with the school admin bristling at the idea of spending more money on your department), hit up some Udemy crash courses, or something similar. They're usually pretty cheap, not nearly as complete as you need them to be to get your MS certs, but they'd be a hell of a lot better than slowly but surely learning everything through a forum thread.

    Because there's a lot there. There was a lot there when I was working with it 10+ years ago, and that was 10+ years ago, there's sure to be a lot more now. For every cool thing you can do with it there's 100 ways you can royally fuck everything up to the point where you're up at 9 PM trying to unfuck what you did and crying and wishing you'd never been born.

    Not saying you shouldn't still ask us questions, or that Feral and Stew wouldn't be willing to help, but they're only going to be able to help you with things they know you're struggling with, and they only know what you're struggling with based on what you tell them. You may find yourself struggling with something you don't even realize is a thing, until it bites you in the ass.

Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited November 2020
    Thawmus wrote: »
    If I can make a small suggestion, I know I'm not a Microsoft guy anymore but I used to be one and played one brilliantly on TV:

If this is your first time cracking your knuckles and getting into AD and GP, and training is out of the question (as I assume, with the school admin bristling at the idea of spending more money on your department), hit up some Udemy crash courses, or something similar. They're usually pretty cheap, not nearly as complete as you need them to be to get your MS certs, but they'd be a hell of a lot better than slowly but surely learning everything through a forum thread.

    Because there's a lot there. There was a lot there when I was working with it 10+ years ago, and that was 10+ years ago, there's sure to be a lot more now. For every cool thing you can do with it there's 100 ways you can royally fuck everything up to the point where you're up at 9 PM trying to unfuck what you did and crying and wishing you'd never been born.

    Not saying you shouldn't still ask us questions, or that Feral and Stew wouldn't be willing to help, but they're only going to be able to help you with things they know you're struggling with, and they only know what you're struggling with based on what you tell them. You may find yourself struggling with something you don't even realize is a thing, until it bites you in the ass.

    yeah, I totally agree. I was thinking about Udemy specifically. I just didn't want to recommend a resource that I couldn't personally vouch for.

SiliconStew Registered User regular
    SniperGuy wrote: »
    Feral wrote: »
    @SniperGuy

    Step back from Group Policy for a moment.

    You said "here's a whole lot of buttons and groups and OUs and things in here that I'm not totally sure about"

    Do you feel comfortable with basic navigation and organization in Active Directory Users and Computers?

    In other words, when you go into Active Directory Users and Computers to create users, create security groups, or move objects around to different OUs, do you feel like you mostly know what you're doing?

In that I know what users and objects are, yes. I do not totally know what a security group is. I created an OU for computers and one for student users and have figured out how to create GPOs that link into those groups. I moved the users I created so far into that student OU, and the one computer I'm using to test into the computer OU. And now I understand that separate GPOs apply to either computers or users and it's pretty easy to tell which is which.

The wallpaper thing was me assuming if I designated the location locally, it would distribute somehow. I had to instead set up a folder that is a hidden share, stick the wallpaper in there, and use the UNC path to point at it instead. Which I assume is okay to do, because it worked.

    So, yeah, mostly? In that mostly is more than 50%?

Well, a Group in AD is simply a collection of user or computer objects that you specify. For example, if you have users A, B, C, D, E, and F, you could set up three groups (right click on an OU in Active Directory Users and Computers and go to New -> Group) for "Accounting Users", "Marketing Users", "Whole Company". You could put users A, B, and C in "Accounting Users", put users D and E in "Marketing Users", and put A, B, C, D, E, and F in "Whole Company".

Then when you go to assign permissions to things, for example the file share access for your wallpaper or the GPOs themselves, you add your "Accounting Users" group to it instead of the individual user accounts (and make sure to remove the default permissions that tend to allow access to everyone). You are controlling the security for the fileshare with these groups; that's why they are called "Security Groups". Then anyone you have in "Accounting Users" can access that fileshare and users not in "Accounting Users" will not have access to that fileshare. You can do the same with computer accounts in their own security groups. So if you only wanted to set wallpapers on the Marketing people, you could set your fileshare and GPO security to only apply settings to the "Marketing Users" group and/or the "Marketing Computers" group.

    The other benefit is you can now alter the group membership (add or remove people/computers from it) to allow access to say your fileshare without needing to go back and touch the security settings on the fileshare itself. If you had instead used individual user accounts to configure security and wanted to remove someone, you'd have to go back and touch every single place that user account was used for security. This is both a maintenance nightmare and easy to forget everywhere it might be. By using Security Groups to control access, you just make those changes in a single spot and it automatically updates across your entire infrastructure.

    When you do go and create a Group in AD, there is an option to pick the "Group Type" between "Security" and "Distribution". A Security group is used in places you need to control access. A Distribution group is to use for emailing a group of people and has an email address associated with it. A distribution group cannot be used to control access and will not appear as an option when you go to pick accounts and groups in a security dialog. As a side note, you can attach an email address to a Security Group if needed, but that is called a Mail-Enabled Security Group and not to be confused with a regular Distribution group.

    There are also options to pick a "Group Scope" when creating a new group, but until you start getting into multi-domain/multi-forest scenarios, the default "Global" scope is fine.

You can also include groups inside other groups. For example, you could have "New York Accounting Users" and "Chicago Accounting Users" groups and you could add those two groups as members of a generic "Accounting Users" group. Then if you use just the "Accounting Users" group for security somewhere, even if "Accounting Users" only includes those two groups and no actual user accounts, anyone in either the New York or the Chicago group would be able to access that thing.

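The OU, security group, nesting, share permission and GPO filtering practices described in SiliconStew's post (and Feral's two guidelines above it) put together in one PowerShell script, as an added example that is not from the thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a placeholder domain lab.example (NetBIOS name LAB), and placeholder OU, group, GPO, share and account names (alice, bob, carol).

```powershell
# Added example, not from the thread. Domain, OU, group, GPO, share and account names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$domainDN = 'DC=lab,DC=example'

# Own OUs instead of the default containers; users and computers kept apart.
New-ADOrganizationalUnit -Name 'Students'         -Path $domainDN
New-ADOrganizationalUnit -Name 'StudentComputers' -Path $domainDN
New-ADOrganizationalUnit -Name 'Groups'           -Path $domainDN
$groupOU = "OU=Groups,$domainDN"

# Security groups (GroupCategory Security) with the default Global scope.
# The Distribution group exists only for mail and cannot be used in an ACL.
New-ADGroup -Name 'NY Accounting Users'  -GroupScope Global -GroupCategory Security     -Path $groupOU
New-ADGroup -Name 'CHI Accounting Users' -GroupScope Global -GroupCategory Security     -Path $groupOU
New-ADGroup -Name 'Accounting Users'     -GroupScope Global -GroupCategory Security     -Path $groupOU
New-ADGroup -Name 'Accounting Mail'      -GroupScope Global -GroupCategory Distribution -Path $groupOU

# Nest the site groups inside the generic group; only the site groups hold users.
Add-ADGroupMember -Identity 'Accounting Users'     -Members 'NY Accounting Users', 'CHI Accounting Users'
Add-ADGroupMember -Identity 'NY Accounting Users'  -Members 'alice', 'bob'
Add-ADGroupMember -Identity 'CHI Accounting Users' -Members 'carol'

# Effective membership through nesting: alice, bob and carol all come back.
Get-ADGroupMember -Identity 'Accounting Users' -Recursive | Select-Object -ExpandProperty SamAccountName

# Hidden wallpaper share: the group gets access, not individual accounts, and
# the NTFS ACL stops inheriting so no default "Users"/"Everyone" entry is carried over.
$path = 'C:\Shares\Wallpaper'
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-SmbShare -Name 'Wallpaper$' -Path $path -ReadAccess 'LAB\Accounting Users' -FullAccess 'BUILTIN\Administrators'
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, discard inherited entries
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($pair in @(@('LAB\Accounting Users', 'ReadAndExecute'),
                    @('BUILTIN\Administrators', 'FullControl'),
                    @('NT AUTHORITY\SYSTEM', 'FullControl'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $pair[0], $pair[1], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# GPO security filtering: Authenticated Users keep Read (so the machine can still
# process the policy), but only members of the security group actually apply it.
New-GPO -Name 'Accounting Wallpaper' | New-GPLink -Target "OU=Students,$domainDN" | Out-Null
Set-GPPermission -Name 'Accounting Wallpaper' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name 'Accounting Wallpaper' -TargetName 'Accounting Users'    -TargetType Group -PermissionLevel GpoApply
Get-GPPermission -Name 'Accounting Wallpaper' -All | Format-Table Trustee, Permission
```

Removing carol from "CHI Accounting Users" later revokes both her share access and the GPO in one place, which is the maintenance point the post makes.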
Myiagros Registered User regular
Make sure you have backups, and then make sure that they can restore properly. Especially when learning the ropes, there is nothing worse than the feeling of dread when you make a mistake and then have to figure out when your last usable backup is, and then figuring out how to restore it. Veeam is a good option as it is very flexible; it is also free to use the Community Edition, which allows for image, VM, file, etc. backups.

SniperGuy SniperGuyGaming Registered User regular
    Myiagros wrote: »
Make sure you have backups, and then make sure that they can restore properly. Especially when learning the ropes, there is nothing worse than the feeling of dread when you make a mistake and then have to figure out when your last usable backup is, and then figuring out how to restore it. Veeam is a good option as it is very flexible; it is also free to use the Community Edition, which allows for image, VM, file, etc. backups.

We actually have Veeam! We've only got the one VMware AD server, but we have Veeam making regular automatic backups of the whole thing. Hoping to get a second server for redundancy soon.
